Defence IT blamed in vetting fiasco

An investigation into the falsification of data used in security clearances has criticised the Department of Defence's IT systems for security vetting, recommending that they be upgraded as a matter of priority.

An investigation into the falsification of data used in security clearances has criticised the Department of Defence's IT systems for security vetting, recommending that they be upgraded as a matter of priority.

"These clearances were being done for military personnel, for government employees of all kinds across the board in different areas. Including, you know, those that were working in any sensitive area," one of the whistleblowers said at the time.

Defence started an investigation into the allegations, and yesterday the results of the investigation were released.

Dr Vivienne Thorn, inspector-general of Intelligence and Security, found that the substance of the allegations from the former workers was true; incorrect data had been entered during the Defence Security Agency (DSA) vetting process, and was submitted to the Australian Security and Intelligence Organisation (ASIO).

The DSA had a different standard for data quality than ASIO, which meant that when information was sent from the DSA to ASIO over a data link, the DSA would receive an error report hundreds of pages long. With staff under pressure, "workarounds" occurred, according to the inspector-general's report.

"With the significant numbers of data-transfer errors generated following the switch to electronic transfer of data, and with staff under pressure to clear back logs, it has become apparent that a number of 'workarounds' eventuated. In some cases, staff would legitimately fill in missing data, such as searching for a postcode for a suburb or changing the state from the full name (New South Wales) to the three-letter acronym (NSW)."

Sometimes, though, the filled-in data was not legitimate.

"It has been suggested by some staff and senior management that 'dummy data' was put in to [the system] as a place holder, to get the ASIO request to proceed, and staff would correct the data once they had obtained the missing information from the applicant if possible, and, if warranted, pass the revised information to ASIO. The small sample of files we reviewed, including a sample of those files that were processed by staff who said they always corrected the data, demonstrated that generally the data was not actually corrected at a later stage," she said.

This behaviour wasn't necessarily widespread, according to the inspector-general, but was concerning enough to compromise the vetting database.

"Although I have not established the actual extent to which these practices and incidents actually occurred, the fact that so many were readily identified does demonstrate that many staff had serious concerns about the integrity of the vetting process."

She said that the problem had been caused by inadequate training and management oversight, poor documentation and record keeping and bad information technology (IT) systems. She made a number of recommendations, all of which the government has agreed to.

The Australian Government Security Vetting Agency (AGSVA) team has already started acting on the recommendations. For example, it has already started to validate all of the information used for security assessments granted since 2009. If information is found to have been changed without justification, then the right information will be found and provided, with ASIO to make certain that clearances were provided correctly.

The inspector-general said, however, that the checking of the compromised data wouldn't fix the problem, because unauthorised and unaudited users are allowed access to the IT systems. She said that access needs to be limited to a small number of authorised staff. The current system used in vetting is the Personnel Security Assessment Management System (PSAMS) database, introduced in November 1997 to support the vetting process. The database stores information about people seeking or holding clearances, such as relatives, education, employment and finances.

The system has segments that aren't supported anymore by original vendors, and are outdated, the report read. There were "negligible data-quality checks" built in to the application, and the same piece of information could be represented in different ways, depending on how the data-entry operator decided to enter it. There is also a web-based interface for applicants to enter their own information, which was launched in 2004. It was used to allow applicants to upload data to PSAMS.

A review of security and clearance processes in 2006 and 2007 found that vetting processes were mainly manual and paper based. It suggested upgrading the IT systems to provide greater automation. The upgrade, which started in November 2007, was to make the web portal available outside of the defence network, and would introduce rules to remove data-quality issues before the information from the web portal was transferred to PSAMS. The PSAMS system itself was to be revamped to include electronic records management and workflow management. However, this upgrade wasn't a high priority within the Department of Defence, despite the fact that the system was required for the vetting agency to handle the workload it faced.

The web-portal upgrade didn't happen until September 2010, and even then it had unresolved issues and errors, which the inspector-general said had finally been solved at the end of last year. The PSAMS upgrade, which was supposed to be finished in March 2010, won't be completed until March this year.

The inspector-general suggested that the agency review its IT systems' user controls and audit capability, and take action where necessary. She also recommended that the implementation of a new security system needs high priority in the department's IT program.

A project board has already been established to oversee the implementation of the new vetting system, which will be called the Personnel Security Assessment Management System 2 (PSAMS2). A project team has also been established to drive the delivery of the program, and the transition from the first version of the system. A "leading IT firm" has been engaged to develop a project-definition statement to lead the transition.